By Andy Greenberg

Just as antivirus researchers congratulated Apple for keeping the iPhone free of nasty apps five full years after its release, spammers seem to have finally tarnished that spotless record.
Antivirus researchers at Kaspersky say they’ve spotted an app known as “Find and Call” in both the iPhone App Store and Google’s Play market that secretly uploads all of a user’s contacts to a remote server and then sends text message and email spam to every number and email address listed in his or her phonebook.
Those messages, written in Russian and first reported by Russian mobile carrier MegaFon, simply advertise the app and include a link to a download site. But the app, which advertises itself as a tool for aggregating and simplifying contacts, doesn’t warn users it plans to upload their entire phonebook and mass-text and mass-email everyone they know. Add in the fact that it also spoofs the user’s number so that text messages appear to come from a trusted sender’s phone, and “Find and Call” almost certainly qualifies as the scummiest app to ever find its way past Apple’s significant security measures.
“It’s not for the first time when we see incidents related to user’s personal data and its leakage” in the iOS app store, writes Kaspersky researcher Denis Maslennikov in a blog post. “[But] it’s for the first time when we have a confirmed case of malicious usage of such data…Yes, these pieces of malware are not that ‘cybercriminalistic’. But malware is malware and in this case it steals user’s phone book and uses it for SMS spam.”
In a follow-up interview, Maslennikov told me that most or all users currently plagued by the spam app seem to be Russian, based on Russian-language complaints in the comments on the app in Google's and Apple's app markets. But there's nothing to prevent users from other countries from downloading the app and having their contacts spammed, Maslennikov warns.
“The program sends the messages without notifying the user. Don’t download it!” reads one Russian comment on the app in the App Store. “Unbelievable,” reads another. “The application sends the SMS to all contacts from the contact list. Please delete it from the App Store!”
Maslennikov says Kaspersky has contacted both Google and Apple about the malware and expects that it will be removed from both app platforms soon. I also reached out to the two companies but haven’t yet heard back from either.
Update: Apple seems to have removed the app from the App Store.
Unlike more clearly criminal malware, the company behind "Find and Call" advertises itself in the open, including on a corporate website. That site doesn't say much about the app's creators. But by making a payment to the app's PayPal account, Kaspersky traced the program to another company called Wealth Creation Laboratory, which lists a Singapore address and a director and co-founder named Sergey Bogatyrev. I called the company and will update this post if I hear back.
Update: I spoke by phone with Bogatyrev in Singapore, who tells me he has no connection to “Find and Call” and couldn’t offer any explanation as to how Kaspersky traced the app’s payment account to his website.
"Find and Call" hardly represents a real threat to iPhone users; it is more of an aggressive marketing annoyance at worst. And for Android, it's barely an aberration, given that Android-targeted malware appears on a regular basis. But for Apple, it represents a rare chink in iOS's armor. The only malicious apps to ever affect the company's mobile platform in the past have either been mere proof-of-concept experiments created by researchers or have targeted jailbroken phones.
Coming on the heels of the first mass botnet to target Mac OS X, an in-the-wild iPhone spam app isn't happy news for Apple's security team.